<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2 em;
}

.method  {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="osconfig_v2.html">OS Config API</a> . <a href="osconfig_v2.projects.html">projects</a> . <a href="osconfig_v2.projects.locations.html">locations</a> . <a href="osconfig_v2.projects.locations.global_.html">global_</a> . <a href="osconfig_v2.projects.locations.global_.policyOrchestrators.html">policyOrchestrators</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#close">close()</a></code></p>
<p class="firstline">Close httplib2 connections.</p>
<p class="toc_element">
  <code><a href="#create">create(parent, body=None, policyOrchestratorId=None, requestId=None, x__xgafv=None)</a></code></p>
<p class="firstline">Creates a new policy orchestrator under the given project resource. `name` field of the given orchestrator are ignored and instead replaced by a product of `parent` and `policy_orchestrator_id`. Orchestrator state field might be only set to `ACTIVE`, `STOPPED` or omitted (in which case, the created resource will be in `ACTIVE` state anyway).</p>
<p class="toc_element">
  <code><a href="#delete">delete(name, etag=None, requestId=None, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes an existing policy orchestrator resource, parented by a project.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Retrieves an existing policy orchestrator, parented by a project.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists the policy orchestrators under the given parent project resource.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next()</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates an existing policy orchestrator, parented by a project.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="close">close()</code>
  <pre>Close httplib2 connections.</pre>
</div>

<div class="method">
    <code class="details" id="create">create(parent, body=None, policyOrchestratorId=None, requestId=None, x__xgafv=None)</code>
  <pre>Creates a new policy orchestrator under the given project resource. `name` field of the given orchestrator are ignored and instead replaced by a product of `parent` and `policy_orchestrator_id`. Orchestrator state field might be only set to `ACTIVE`, `STOPPED` or omitted (in which case, the created resource will be in `ACTIVE` state anyway).

Args:
  parent: string, Required. The parent resource name in the form of: * `organizations/{organization_id}/locations/global` * `folders/{folder_id}/locations/global` * `projects/{project_id_or_number}/locations/global` (required)
  body: object, The request body.
    The object takes the form of:

{ # PolicyOrchestrator helps managing project+zone level policy resources (e.g. OS Policy Assignments), by providing tools to create, update and delete them across projects and locations, at scale. Policy orchestrator functions as an endless loop. Each iteration orchestrator computes a set of resources that should be affected, then progressively applies changes to them. If for some reason this set of resources changes over time (e.g. new projects are added), the future loop iterations will address that. Orchestrator can either upsert or delete policy resources. For more details, see the description of the `action`, and `orchestrated_resource` fields. Note that policy orchestrator do not &quot;manage&quot; the resources it creates. Every iteration is independent and only minimal history of past actions is retained (apart from Cloud Logging). If orchestrator gets deleted, it does not affect the resources it created in the past. Those will remain where they were. Same applies if projects are removed from the orchestrator&#x27;s scope.
  &quot;action&quot;: &quot;A String&quot;, # Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist
  &quot;createTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was created.
  &quot;description&quot;: &quot;A String&quot;, # Optional. Freeform text describing the purpose of the resource.
  &quot;etag&quot;: &quot;A String&quot;, # Output only. This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
  &quot;labels&quot;: { # Optional. Labels as key value pairs
    &quot;a_key&quot;: &quot;A String&quot;,
  },
  &quot;name&quot;: &quot;A String&quot;, # Immutable. Identifier. In form of * `organizations/{organization_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `folders/{folder_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `projects/{project_id_or_number}/locations/global/policyOrchestrators/{orchestrator_id}`
  &quot;orchestratedResource&quot;: { # Represents a resource that is being orchestrated by the policy orchestrator. # Required. Resource to be orchestrated by the policy orchestrator.
    &quot;id&quot;: &quot;A String&quot;, # Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation.
    &quot;osPolicyAssignmentV1Payload&quot;: { # OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). # Optional. OSPolicyAssignment resource to be created, updated or deleted. Name field is ignored and replace with a generated value. With this field set, orchestrator will perform actions on `project/{project}/locations/{zone}/osPolicyAssignments/{resource_id}` resources, where `project` and `zone` pairs come from the expanded scope, and `resource_id` comes from the `resource_id` field of orchestrator resource.
      &quot;baseline&quot;: True or False, # Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.
      &quot;deleted&quot;: True or False, # Output only. Indicates that this revision deletes the OS policy assignment.
      &quot;description&quot;: &quot;A String&quot;, # OS policy assignment description. Length of the description is limited to 1024 characters.
      &quot;etag&quot;: &quot;A String&quot;, # The etag for this OS policy assignment. If this is provided on update, it must match the server&#x27;s etag.
      &quot;instanceFilter&quot;: { # Filters to select target VMs for an assignment. If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them. # Required. Filter to select VMs.
        &quot;all&quot;: True or False, # Target all VMs in the project. If true, no other criteria is permitted.
        &quot;exclusionLabels&quot;: [ # List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.
          { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
            &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        ],
        &quot;inclusionLabels&quot;: [ # List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.
          { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
            &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        ],
        &quot;inventories&quot;: [ # List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.
          { # VM inventory details.
            &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
            &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
          },
        ],
      },
      &quot;name&quot;: &quot;A String&quot;, # Resource name. Format: `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}` This field is ignored when you create an OS policy assignment.
      &quot;osPolicies&quot;: [ # Required. List of OS policies to be applied to the VMs.
        { # An OS policy defines the desired state configuration for a VM.
          &quot;allowNoResourceGroupMatch&quot;: True or False, # This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.
          &quot;description&quot;: &quot;A String&quot;, # Policy description. Length of the description is limited to 1024 characters.
          &quot;id&quot;: &quot;A String&quot;, # Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.
          &quot;mode&quot;: &quot;A String&quot;, # Required. Policy mode
          &quot;resourceGroups&quot;: [ # Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`
            { # Resource groups provide a mechanism to group OS policy resources. Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems. When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the `OSFilter` specified within the resource group.
              &quot;inventoryFilters&quot;: [ # List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name=&#x27;rhel&#x27; and inventory_filters[1].os_short_name=&#x27;centos&#x27; If the list is empty, this resource group will be applied to the target VM unconditionally.
                { # Filtering criteria to select VMs based on inventory details.
                  &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
                  &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
                },
              ],
              &quot;resources&quot;: [ # Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.
                { # An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc. The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.
                  &quot;exec&quot;: { # A resource that allows executing scripts on the VM. The `ExecResource` has 2 stages: `validate` and `enforce` and both stages accept a script as an argument to execute. When the `ExecResource` is applied by the agent, it first executes the script in the `validate` stage. The `validate` stage can signal that the `ExecResource` is already in the desired state by returning an exit code of `100`. If the `ExecResource` is not in the desired state, it should return an exit code of `101`. Any other exit code returned by this stage is considered an error. If the `ExecResource` is not in the desired state based on the exit code from the `validate` stage, the agent proceeds to execute the script from the `enforce` stage. If the `ExecResource` is already in the desired state, the `enforce` stage will not be run. Similar to `validate` stage, the `enforce` stage should return an exit code of `100` to indicate that the resource in now in its desired state. Any other exit code is considered an error. NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to have an explicit indicator of `in desired state`, `not in desired state` and errors. Because, for example, Powershell will always return an exit code of `0` unless an `exit` statement is provided in the script. So, for reasons of consistency and being explicit, exit codes `100` and `101` were chosen. # Exec resource
                    &quot;enforce&quot;: { # A file or script to execute. # What to run to bring this resource into the desired state. An exit code of 100 indicates &quot;success&quot;, any other exit code indicates a failure running enforce.
                      &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                        &quot;A String&quot;,
                      ],
                      &quot;file&quot;: { # A remote or local file. # A remote or local file.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                      &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                      &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                      &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                    },
                    &quot;validate&quot;: { # A file or script to execute. # Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates &quot;in desired state&quot;, and exit code of 101 indicates &quot;not in desired state&quot;. Any other exit code indicates a failure running validate.
                      &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                        &quot;A String&quot;,
                      ],
                      &quot;file&quot;: { # A remote or local file. # A remote or local file.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                      &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                      &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                      &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                    },
                  },
                  &quot;file&quot;: { # A resource that manages the state of a file. # File resource
                    &quot;content&quot;: &quot;A String&quot;, # A a file with this content. The size of the content is limited to 32KiB.
                    &quot;file&quot;: { # A remote or local file. # A remote or local source.
                      &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                      &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                        &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                        &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                        &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                      },
                      &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                      &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                        &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                        &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                      },
                    },
                    &quot;path&quot;: &quot;A String&quot;, # Required. The absolute path of the file within the VM.
                    &quot;permissions&quot;: &quot;A String&quot;, # Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4
                    &quot;state&quot;: &quot;A String&quot;, # Required. Desired state of the file.
                  },
                  &quot;id&quot;: &quot;A String&quot;, # Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.
                  &quot;pkg&quot;: { # A resource that manages a system package. # Package resource
                    &quot;apt&quot;: { # A package managed by APT. - install: `apt-get update &amp;&amp; apt-get -y install [name]` - remove: `apt-get -y remove [name]` # A package managed by Apt.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;deb&quot;: { # A deb package file. dpkg packages only support INSTALLED state. # A deb package file.
                      &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update &amp;&amp; apt-get -y install package.deb`
                      &quot;source&quot;: { # A remote or local file. # Required. A deb package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;desiredState&quot;: &quot;A String&quot;, # Required. The desired state the agent should maintain for this package.
                    &quot;googet&quot;: { # A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` # A package managed by GooGet.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;msi&quot;: { # An MSI package. MSI packages only support INSTALLED state. # An MSI package.
                      &quot;properties&quot;: [ # Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.
                        &quot;A String&quot;,
                      ],
                      &quot;source&quot;: { # A remote or local file. # Required. The MSI package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;rpm&quot;: { # An RPM package file. RPM packages only support INSTALLED state. # An rpm package file.
                      &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`
                      &quot;source&quot;: { # A remote or local file. # Required. An rpm package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;yum&quot;: { # A package managed by YUM. - install: `yum -y install package` - remove: `yum -y remove package` # A package managed by YUM.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;zypper&quot;: { # A package managed by Zypper. - install: `zypper -y install package` - remove: `zypper -y rm package` # A package managed by Zypper.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                  },
                  &quot;repository&quot;: { # A resource that manages a package repository. # Package repository resource
                    &quot;apt&quot;: { # Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. # An Apt Repository.
                      &quot;archiveType&quot;: &quot;A String&quot;, # Required. Type of archive files in this repository.
                      &quot;components&quot;: [ # Required. List of components for this repository. Must contain at least one item.
                        &quot;A String&quot;,
                      ],
                      &quot;distribution&quot;: &quot;A String&quot;, # Required. Distribution of this repository.
                      &quot;gpgKey&quot;: &quot;A String&quot;, # URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.
                      &quot;uri&quot;: &quot;A String&quot;, # Required. URI for this repository.
                    },
                    &quot;goo&quot;: { # Represents a Goo package repository. These are added to a repo file that is managed at `C:/ProgramData/GooGet/repos/google_osconfig.repo`. # A Goo Repository.
                      &quot;name&quot;: &quot;A String&quot;, # Required. The name of the repository.
                      &quot;url&quot;: &quot;A String&quot;, # Required. The url of the repository.
                    },
                    &quot;yum&quot;: { # Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. # A Yum Repository.
                      &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                      &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                      &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                        &quot;A String&quot;,
                      ],
                      &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.
                    },
                    &quot;zypper&quot;: { # Represents a single zypper package repository. These are added to a repo file that is managed at `/etc/zypp/repos.d/google_osconfig.repo`. # A Zypper Repository.
                      &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                      &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                      &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                        &quot;A String&quot;,
                      ],
                      &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
                    },
                  },
                },
              ],
            },
          ],
        },
      ],
      &quot;reconciling&quot;: True or False, # Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING
      &quot;revisionCreateTime&quot;: &quot;A String&quot;, # Output only. The timestamp that the revision was created.
      &quot;revisionId&quot;: &quot;A String&quot;, # Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment
      &quot;rollout&quot;: { # Message to configure the rollout at the zonal level for the OS policy assignment. # Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.
        &quot;disruptionBudget&quot;: { # Message encapsulating a value that can be either absolute (&quot;fixed&quot;) or relative (&quot;percent&quot;) to a value. # Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.
          &quot;fixed&quot;: 42, # Specifies a fixed value.
          &quot;percent&quot;: 42, # Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
        },
        &quot;minWaitDuration&quot;: &quot;A String&quot;, # Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.
      },
      &quot;rolloutState&quot;: &quot;A String&quot;, # Output only. OS policy assignment rollout state
      &quot;uid&quot;: &quot;A String&quot;, # Output only. Server generated unique id for the OS policy assignment resource.
    },
  },
  &quot;orchestrationScope&quot;: { # Defines a set of selectors which drive which resources are in scope of policy orchestration. # Optional. Defines scope for the orchestration, in context of the enclosing PolicyOrchestrator resource. Scope is expanded into a list of pairs, in which the rollout action will take place. Expansion starts with a Folder resource parenting the PolicyOrchestrator resource: - All the descendant projects are listed. - List of project is cross joined with a list of all available zones. - Resulting list of pairs is filtered according to the selectors.
    &quot;selectors&quot;: [ # Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource.
      { # Selector for the resources in scope of orchestration.
        &quot;locationSelector&quot;: { # Selector containing locations in scope. # Selector for selecting locations.
          &quot;includedLocations&quot;: [ # Optional. Names of the locations in scope. Format: `us-central1-a`
            &quot;A String&quot;,
          ],
        },
        &quot;resourceHierarchySelector&quot;: { # Selector containing Cloud Resource Manager resource hierarchy nodes. # Selector for selecting resource hierarchy.
          &quot;includedFolders&quot;: [ # Optional. Names of the folders in scope. Format: `folders/{folder_id}`
            &quot;A String&quot;,
          ],
          &quot;includedProjects&quot;: [ # Optional. Names of the projects in scope. Format: `projects/{project_number}`
            &quot;A String&quot;,
          ],
        },
      },
    ],
  },
  &quot;orchestrationState&quot;: { # Describes the state of the orchestration process. # Output only. State of the orchestration.
    &quot;currentIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Current Wave iteration state.
      &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
        &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
        &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
          {
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
          },
        ],
        &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
      },
      &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
      &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
      &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
      &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
      &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
      &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
      &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
    },
    &quot;previousIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Previous Wave iteration state.
      &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
        &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
        &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
          {
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
          },
        ],
        &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
      },
      &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
      &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
      &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
      &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
      &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
      &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
      &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
    },
  },
  &quot;reconciling&quot;: True or False, # Output only. Set to true, if the there are ongoing changes being applied by the orchestrator.
  &quot;state&quot;: &quot;A String&quot;, # Optional. State of the orchestrator. Can be updated to change orchestrator behaviour. Allowed values: - `ACTIVE` - orchestrator is actively looking for actions to be taken. - `STOPPED` - orchestrator won&#x27;t make any changes. Note: There might be more states added in the future. We use string here instead of an enum, to avoid the need of propagating new states to all the client code.
  &quot;updateTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was last modified.
}

  policyOrchestratorId: string, Required. The logical identifier of the policy orchestrator, with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the parent.
  requestId: string, Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # This resource represents a long-running operation that is the result of a network API call.
  &quot;done&quot;: True or False, # If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
  &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # The error result of the operation in case of failure or cancellation.
    &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
    &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
      {
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
      },
    ],
    &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
  },
  &quot;metadata&quot;: { # Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
  },
  &quot;name&quot;: &quot;A String&quot;, # The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`.
  &quot;response&quot;: { # The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
  },
}</pre>
</div>

<div class="method">
    <code class="details" id="delete">delete(name, etag=None, requestId=None, x__xgafv=None)</code>
  <pre>Deletes an existing policy orchestrator resource, parented by a project.

Args:
  name: string, Required. Name of the resource to be deleted. (required)
  etag: string, Optional. The current etag of the policy orchestrator. If an etag is provided and does not match the current etag of the policy orchestrator, deletion will be blocked and an ABORTED error will be returned.
  requestId: string, Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # This resource represents a long-running operation that is the result of a network API call.
  &quot;done&quot;: True or False, # If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
  &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # The error result of the operation in case of failure or cancellation.
    &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
    &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
      {
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
      },
    ],
    &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
  },
  &quot;metadata&quot;: { # Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
  },
  &quot;name&quot;: &quot;A String&quot;, # The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`.
  &quot;response&quot;: { # The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
  },
}</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Retrieves an existing policy orchestrator, parented by a project.

Args:
  name: string, Required. The resource name. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # PolicyOrchestrator helps managing project+zone level policy resources (e.g. OS Policy Assignments), by providing tools to create, update and delete them across projects and locations, at scale. Policy orchestrator functions as an endless loop. Each iteration orchestrator computes a set of resources that should be affected, then progressively applies changes to them. If for some reason this set of resources changes over time (e.g. new projects are added), the future loop iterations will address that. Orchestrator can either upsert or delete policy resources. For more details, see the description of the `action`, and `orchestrated_resource` fields. Note that policy orchestrator do not &quot;manage&quot; the resources it creates. Every iteration is independent and only minimal history of past actions is retained (apart from Cloud Logging). If orchestrator gets deleted, it does not affect the resources it created in the past. Those will remain where they were. Same applies if projects are removed from the orchestrator&#x27;s scope.
  &quot;action&quot;: &quot;A String&quot;, # Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist
  &quot;createTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was created.
  &quot;description&quot;: &quot;A String&quot;, # Optional. Freeform text describing the purpose of the resource.
  &quot;etag&quot;: &quot;A String&quot;, # Output only. This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
  &quot;labels&quot;: { # Optional. Labels as key value pairs
    &quot;a_key&quot;: &quot;A String&quot;,
  },
  &quot;name&quot;: &quot;A String&quot;, # Immutable. Identifier. In form of * `organizations/{organization_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `folders/{folder_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `projects/{project_id_or_number}/locations/global/policyOrchestrators/{orchestrator_id}`
  &quot;orchestratedResource&quot;: { # Represents a resource that is being orchestrated by the policy orchestrator. # Required. Resource to be orchestrated by the policy orchestrator.
    &quot;id&quot;: &quot;A String&quot;, # Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation.
    &quot;osPolicyAssignmentV1Payload&quot;: { # OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). # Optional. OSPolicyAssignment resource to be created, updated or deleted. Name field is ignored and replace with a generated value. With this field set, orchestrator will perform actions on `project/{project}/locations/{zone}/osPolicyAssignments/{resource_id}` resources, where `project` and `zone` pairs come from the expanded scope, and `resource_id` comes from the `resource_id` field of orchestrator resource.
      &quot;baseline&quot;: True or False, # Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.
      &quot;deleted&quot;: True or False, # Output only. Indicates that this revision deletes the OS policy assignment.
      &quot;description&quot;: &quot;A String&quot;, # OS policy assignment description. Length of the description is limited to 1024 characters.
      &quot;etag&quot;: &quot;A String&quot;, # The etag for this OS policy assignment. If this is provided on update, it must match the server&#x27;s etag.
      &quot;instanceFilter&quot;: { # Filters to select target VMs for an assignment. If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them. # Required. Filter to select VMs.
        &quot;all&quot;: True or False, # Target all VMs in the project. If true, no other criteria is permitted.
        &quot;exclusionLabels&quot;: [ # List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.
          { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
            &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        ],
        &quot;inclusionLabels&quot;: [ # List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.
          { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
            &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        ],
        &quot;inventories&quot;: [ # List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.
          { # VM inventory details.
            &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
            &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
          },
        ],
      },
      &quot;name&quot;: &quot;A String&quot;, # Resource name. Format: `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}` This field is ignored when you create an OS policy assignment.
      &quot;osPolicies&quot;: [ # Required. List of OS policies to be applied to the VMs.
        { # An OS policy defines the desired state configuration for a VM.
          &quot;allowNoResourceGroupMatch&quot;: True or False, # This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.
          &quot;description&quot;: &quot;A String&quot;, # Policy description. Length of the description is limited to 1024 characters.
          &quot;id&quot;: &quot;A String&quot;, # Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.
          &quot;mode&quot;: &quot;A String&quot;, # Required. Policy mode
          &quot;resourceGroups&quot;: [ # Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`
            { # Resource groups provide a mechanism to group OS policy resources. Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems. When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the `OSFilter` specified within the resource group.
              &quot;inventoryFilters&quot;: [ # List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name=&#x27;rhel&#x27; and inventory_filters[1].os_short_name=&#x27;centos&#x27; If the list is empty, this resource group will be applied to the target VM unconditionally.
                { # Filtering criteria to select VMs based on inventory details.
                  &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
                  &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
                },
              ],
              &quot;resources&quot;: [ # Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.
                { # An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc. The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.
                  &quot;exec&quot;: { # A resource that allows executing scripts on the VM. The `ExecResource` has 2 stages: `validate` and `enforce` and both stages accept a script as an argument to execute. When the `ExecResource` is applied by the agent, it first executes the script in the `validate` stage. The `validate` stage can signal that the `ExecResource` is already in the desired state by returning an exit code of `100`. If the `ExecResource` is not in the desired state, it should return an exit code of `101`. Any other exit code returned by this stage is considered an error. If the `ExecResource` is not in the desired state based on the exit code from the `validate` stage, the agent proceeds to execute the script from the `enforce` stage. If the `ExecResource` is already in the desired state, the `enforce` stage will not be run. Similar to `validate` stage, the `enforce` stage should return an exit code of `100` to indicate that the resource in now in its desired state. Any other exit code is considered an error. NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to have an explicit indicator of `in desired state`, `not in desired state` and errors. Because, for example, Powershell will always return an exit code of `0` unless an `exit` statement is provided in the script. So, for reasons of consistency and being explicit, exit codes `100` and `101` were chosen. # Exec resource
                    &quot;enforce&quot;: { # A file or script to execute. # What to run to bring this resource into the desired state. An exit code of 100 indicates &quot;success&quot;, any other exit code indicates a failure running enforce.
                      &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                        &quot;A String&quot;,
                      ],
                      &quot;file&quot;: { # A remote or local file. # A remote or local file.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                      &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                      &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                      &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                    },
                    &quot;validate&quot;: { # A file or script to execute. # Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates &quot;in desired state&quot;, and exit code of 101 indicates &quot;not in desired state&quot;. Any other exit code indicates a failure running validate.
                      &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                        &quot;A String&quot;,
                      ],
                      &quot;file&quot;: { # A remote or local file. # A remote or local file.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                      &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                      &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                      &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                    },
                  },
                  &quot;file&quot;: { # A resource that manages the state of a file. # File resource
                    &quot;content&quot;: &quot;A String&quot;, # A a file with this content. The size of the content is limited to 32KiB.
                    &quot;file&quot;: { # A remote or local file. # A remote or local source.
                      &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                      &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                        &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                        &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                        &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                      },
                      &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                      &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                        &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                        &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                      },
                    },
                    &quot;path&quot;: &quot;A String&quot;, # Required. The absolute path of the file within the VM.
                    &quot;permissions&quot;: &quot;A String&quot;, # Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4
                    &quot;state&quot;: &quot;A String&quot;, # Required. Desired state of the file.
                  },
                  &quot;id&quot;: &quot;A String&quot;, # Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.
                  &quot;pkg&quot;: { # A resource that manages a system package. # Package resource
                    &quot;apt&quot;: { # A package managed by APT. - install: `apt-get update &amp;&amp; apt-get -y install [name]` - remove: `apt-get -y remove [name]` # A package managed by Apt.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;deb&quot;: { # A deb package file. dpkg packages only support INSTALLED state. # A deb package file.
                      &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update &amp;&amp; apt-get -y install package.deb`
                      &quot;source&quot;: { # A remote or local file. # Required. A deb package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;desiredState&quot;: &quot;A String&quot;, # Required. The desired state the agent should maintain for this package.
                    &quot;googet&quot;: { # A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` # A package managed by GooGet.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;msi&quot;: { # An MSI package. MSI packages only support INSTALLED state. # An MSI package.
                      &quot;properties&quot;: [ # Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.
                        &quot;A String&quot;,
                      ],
                      &quot;source&quot;: { # A remote or local file. # Required. The MSI package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;rpm&quot;: { # An RPM package file. RPM packages only support INSTALLED state. # An rpm package file.
                      &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`
                      &quot;source&quot;: { # A remote or local file. # Required. An rpm package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;yum&quot;: { # A package managed by YUM. - install: `yum -y install package` - remove: `yum -y remove package` # A package managed by YUM.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;zypper&quot;: { # A package managed by Zypper. - install: `zypper -y install package` - remove: `zypper -y rm package` # A package managed by Zypper.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                  },
                  &quot;repository&quot;: { # A resource that manages a package repository. # Package repository resource
                    &quot;apt&quot;: { # Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. # An Apt Repository.
                      &quot;archiveType&quot;: &quot;A String&quot;, # Required. Type of archive files in this repository.
                      &quot;components&quot;: [ # Required. List of components for this repository. Must contain at least one item.
                        &quot;A String&quot;,
                      ],
                      &quot;distribution&quot;: &quot;A String&quot;, # Required. Distribution of this repository.
                      &quot;gpgKey&quot;: &quot;A String&quot;, # URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.
                      &quot;uri&quot;: &quot;A String&quot;, # Required. URI for this repository.
                    },
                    &quot;goo&quot;: { # Represents a Goo package repository. These are added to a repo file that is managed at `C:/ProgramData/GooGet/repos/google_osconfig.repo`. # A Goo Repository.
                      &quot;name&quot;: &quot;A String&quot;, # Required. The name of the repository.
                      &quot;url&quot;: &quot;A String&quot;, # Required. The url of the repository.
                    },
                    &quot;yum&quot;: { # Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. # A Yum Repository.
                      &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                      &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                      &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                        &quot;A String&quot;,
                      ],
                      &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.
                    },
                    &quot;zypper&quot;: { # Represents a single zypper package repository. These are added to a repo file that is managed at `/etc/zypp/repos.d/google_osconfig.repo`. # A Zypper Repository.
                      &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                      &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                      &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                        &quot;A String&quot;,
                      ],
                      &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
                    },
                  },
                },
              ],
            },
          ],
        },
      ],
      &quot;reconciling&quot;: True or False, # Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING
      &quot;revisionCreateTime&quot;: &quot;A String&quot;, # Output only. The timestamp that the revision was created.
      &quot;revisionId&quot;: &quot;A String&quot;, # Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment
      &quot;rollout&quot;: { # Message to configure the rollout at the zonal level for the OS policy assignment. # Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.
        &quot;disruptionBudget&quot;: { # Message encapsulating a value that can be either absolute (&quot;fixed&quot;) or relative (&quot;percent&quot;) to a value. # Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.
          &quot;fixed&quot;: 42, # Specifies a fixed value.
          &quot;percent&quot;: 42, # Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
        },
        &quot;minWaitDuration&quot;: &quot;A String&quot;, # Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.
      },
      &quot;rolloutState&quot;: &quot;A String&quot;, # Output only. OS policy assignment rollout state
      &quot;uid&quot;: &quot;A String&quot;, # Output only. Server generated unique id for the OS policy assignment resource.
    },
  },
  &quot;orchestrationScope&quot;: { # Defines a set of selectors which drive which resources are in scope of policy orchestration. # Optional. Defines scope for the orchestration, in context of the enclosing PolicyOrchestrator resource. Scope is expanded into a list of pairs, in which the rollout action will take place. Expansion starts with a Folder resource parenting the PolicyOrchestrator resource: - All the descendant projects are listed. - List of project is cross joined with a list of all available zones. - Resulting list of pairs is filtered according to the selectors.
    &quot;selectors&quot;: [ # Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource.
      { # Selector for the resources in scope of orchestration.
        &quot;locationSelector&quot;: { # Selector containing locations in scope. # Selector for selecting locations.
          &quot;includedLocations&quot;: [ # Optional. Names of the locations in scope. Format: `us-central1-a`
            &quot;A String&quot;,
          ],
        },
        &quot;resourceHierarchySelector&quot;: { # Selector containing Cloud Resource Manager resource hierarchy nodes. # Selector for selecting resource hierarchy.
          &quot;includedFolders&quot;: [ # Optional. Names of the folders in scope. Format: `folders/{folder_id}`
            &quot;A String&quot;,
          ],
          &quot;includedProjects&quot;: [ # Optional. Names of the projects in scope. Format: `projects/{project_number}`
            &quot;A String&quot;,
          ],
        },
      },
    ],
  },
  &quot;orchestrationState&quot;: { # Describes the state of the orchestration process. # Output only. State of the orchestration.
    &quot;currentIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Current Wave iteration state.
      &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
        &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
        &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
          {
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
          },
        ],
        &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
      },
      &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
      &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
      &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
      &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
      &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
      &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
      &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
    },
    &quot;previousIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Previous Wave iteration state.
      &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
        &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
        &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
          {
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
          },
        ],
        &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
      },
      &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
      &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
      &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
      &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
      &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
      &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
      &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
    },
  },
  &quot;reconciling&quot;: True or False, # Output only. Set to true, if the there are ongoing changes being applied by the orchestrator.
  &quot;state&quot;: &quot;A String&quot;, # Optional. State of the orchestrator. Can be updated to change orchestrator behaviour. Allowed values: - `ACTIVE` - orchestrator is actively looking for actions to be taken. - `STOPPED` - orchestrator won&#x27;t make any changes. Note: There might be more states added in the future. We use string here instead of an enum, to avoid the need of propagating new states to all the client code.
  &quot;updateTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was last modified.
}</pre>
</div>

<div class="method">
    <code class="details" id="list">list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)</code>
  <pre>Lists the policy orchestrators under the given parent project resource.

Args:
  parent: string, Required. The parent resource name. (required)
  filter: string, Optional. Filtering results
  orderBy: string, Optional. Hint for how to order the results
  pageSize: integer, Optional. Requested page size. Server may return fewer items than requested. If unspecified, server will pick an appropriate default.
  pageToken: string, Optional. A token identifying a page of results the server should return.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response for the list policy orchestrator resources.
  &quot;nextPageToken&quot;: &quot;A String&quot;, # A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.
  &quot;policyOrchestrators&quot;: [ # The policy orchestrators for the specified parent resource.
    { # PolicyOrchestrator helps managing project+zone level policy resources (e.g. OS Policy Assignments), by providing tools to create, update and delete them across projects and locations, at scale. Policy orchestrator functions as an endless loop. Each iteration orchestrator computes a set of resources that should be affected, then progressively applies changes to them. If for some reason this set of resources changes over time (e.g. new projects are added), the future loop iterations will address that. Orchestrator can either upsert or delete policy resources. For more details, see the description of the `action`, and `orchestrated_resource` fields. Note that policy orchestrator do not &quot;manage&quot; the resources it creates. Every iteration is independent and only minimal history of past actions is retained (apart from Cloud Logging). If orchestrator gets deleted, it does not affect the resources it created in the past. Those will remain where they were. Same applies if projects are removed from the orchestrator&#x27;s scope.
      &quot;action&quot;: &quot;A String&quot;, # Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist
      &quot;createTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was created.
      &quot;description&quot;: &quot;A String&quot;, # Optional. Freeform text describing the purpose of the resource.
      &quot;etag&quot;: &quot;A String&quot;, # Output only. This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
      &quot;labels&quot;: { # Optional. Labels as key value pairs
        &quot;a_key&quot;: &quot;A String&quot;,
      },
      &quot;name&quot;: &quot;A String&quot;, # Immutable. Identifier. In form of * `organizations/{organization_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `folders/{folder_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `projects/{project_id_or_number}/locations/global/policyOrchestrators/{orchestrator_id}`
      &quot;orchestratedResource&quot;: { # Represents a resource that is being orchestrated by the policy orchestrator. # Required. Resource to be orchestrated by the policy orchestrator.
        &quot;id&quot;: &quot;A String&quot;, # Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation.
        &quot;osPolicyAssignmentV1Payload&quot;: { # OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). # Optional. OSPolicyAssignment resource to be created, updated or deleted. Name field is ignored and replace with a generated value. With this field set, orchestrator will perform actions on `project/{project}/locations/{zone}/osPolicyAssignments/{resource_id}` resources, where `project` and `zone` pairs come from the expanded scope, and `resource_id` comes from the `resource_id` field of orchestrator resource.
          &quot;baseline&quot;: True or False, # Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.
          &quot;deleted&quot;: True or False, # Output only. Indicates that this revision deletes the OS policy assignment.
          &quot;description&quot;: &quot;A String&quot;, # OS policy assignment description. Length of the description is limited to 1024 characters.
          &quot;etag&quot;: &quot;A String&quot;, # The etag for this OS policy assignment. If this is provided on update, it must match the server&#x27;s etag.
          &quot;instanceFilter&quot;: { # Filters to select target VMs for an assignment. If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them. # Required. Filter to select VMs.
            &quot;all&quot;: True or False, # Target all VMs in the project. If true, no other criteria is permitted.
            &quot;exclusionLabels&quot;: [ # List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.
              { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
                &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
                  &quot;a_key&quot;: &quot;A String&quot;,
                },
              },
            ],
            &quot;inclusionLabels&quot;: [ # List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.
              { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
                &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
                  &quot;a_key&quot;: &quot;A String&quot;,
                },
              },
            ],
            &quot;inventories&quot;: [ # List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.
              { # VM inventory details.
                &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
                &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
              },
            ],
          },
          &quot;name&quot;: &quot;A String&quot;, # Resource name. Format: `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}` This field is ignored when you create an OS policy assignment.
          &quot;osPolicies&quot;: [ # Required. List of OS policies to be applied to the VMs.
            { # An OS policy defines the desired state configuration for a VM.
              &quot;allowNoResourceGroupMatch&quot;: True or False, # This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.
              &quot;description&quot;: &quot;A String&quot;, # Policy description. Length of the description is limited to 1024 characters.
              &quot;id&quot;: &quot;A String&quot;, # Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.
              &quot;mode&quot;: &quot;A String&quot;, # Required. Policy mode
              &quot;resourceGroups&quot;: [ # Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`
                { # Resource groups provide a mechanism to group OS policy resources. Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems. When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the `OSFilter` specified within the resource group.
                  &quot;inventoryFilters&quot;: [ # List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name=&#x27;rhel&#x27; and inventory_filters[1].os_short_name=&#x27;centos&#x27; If the list is empty, this resource group will be applied to the target VM unconditionally.
                    { # Filtering criteria to select VMs based on inventory details.
                      &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
                      &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
                    },
                  ],
                  &quot;resources&quot;: [ # Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.
                    { # An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc. The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.
                      &quot;exec&quot;: { # A resource that allows executing scripts on the VM. The `ExecResource` has 2 stages: `validate` and `enforce` and both stages accept a script as an argument to execute. When the `ExecResource` is applied by the agent, it first executes the script in the `validate` stage. The `validate` stage can signal that the `ExecResource` is already in the desired state by returning an exit code of `100`. If the `ExecResource` is not in the desired state, it should return an exit code of `101`. Any other exit code returned by this stage is considered an error. If the `ExecResource` is not in the desired state based on the exit code from the `validate` stage, the agent proceeds to execute the script from the `enforce` stage. If the `ExecResource` is already in the desired state, the `enforce` stage will not be run. Similar to `validate` stage, the `enforce` stage should return an exit code of `100` to indicate that the resource in now in its desired state. Any other exit code is considered an error. NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to have an explicit indicator of `in desired state`, `not in desired state` and errors. Because, for example, Powershell will always return an exit code of `0` unless an `exit` statement is provided in the script. So, for reasons of consistency and being explicit, exit codes `100` and `101` were chosen. # Exec resource
                        &quot;enforce&quot;: { # A file or script to execute. # What to run to bring this resource into the desired state. An exit code of 100 indicates &quot;success&quot;, any other exit code indicates a failure running enforce.
                          &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                            &quot;A String&quot;,
                          ],
                          &quot;file&quot;: { # A remote or local file. # A remote or local file.
                            &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                            &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                              &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                              &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                              &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                            },
                            &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                            &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                              &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                              &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                            },
                          },
                          &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                          &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                          &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                        },
                        &quot;validate&quot;: { # A file or script to execute. # Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates &quot;in desired state&quot;, and exit code of 101 indicates &quot;not in desired state&quot;. Any other exit code indicates a failure running validate.
                          &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                            &quot;A String&quot;,
                          ],
                          &quot;file&quot;: { # A remote or local file. # A remote or local file.
                            &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                            &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                              &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                              &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                              &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                            },
                            &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                            &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                              &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                              &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                            },
                          },
                          &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                          &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                          &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                        },
                      },
                      &quot;file&quot;: { # A resource that manages the state of a file. # File resource
                        &quot;content&quot;: &quot;A String&quot;, # A a file with this content. The size of the content is limited to 32KiB.
                        &quot;file&quot;: { # A remote or local file. # A remote or local source.
                          &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                          &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                            &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                            &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                            &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                          },
                          &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                          &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                            &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                            &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                          },
                        },
                        &quot;path&quot;: &quot;A String&quot;, # Required. The absolute path of the file within the VM.
                        &quot;permissions&quot;: &quot;A String&quot;, # Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4
                        &quot;state&quot;: &quot;A String&quot;, # Required. Desired state of the file.
                      },
                      &quot;id&quot;: &quot;A String&quot;, # Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.
                      &quot;pkg&quot;: { # A resource that manages a system package. # Package resource
                        &quot;apt&quot;: { # A package managed by APT. - install: `apt-get update &amp;&amp; apt-get -y install [name]` - remove: `apt-get -y remove [name]` # A package managed by Apt.
                          &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                        },
                        &quot;deb&quot;: { # A deb package file. dpkg packages only support INSTALLED state. # A deb package file.
                          &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update &amp;&amp; apt-get -y install package.deb`
                          &quot;source&quot;: { # A remote or local file. # Required. A deb package.
                            &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                            &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                              &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                              &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                              &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                            },
                            &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                            &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                              &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                              &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                            },
                          },
                        },
                        &quot;desiredState&quot;: &quot;A String&quot;, # Required. The desired state the agent should maintain for this package.
                        &quot;googet&quot;: { # A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` # A package managed by GooGet.
                          &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                        },
                        &quot;msi&quot;: { # An MSI package. MSI packages only support INSTALLED state. # An MSI package.
                          &quot;properties&quot;: [ # Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.
                            &quot;A String&quot;,
                          ],
                          &quot;source&quot;: { # A remote or local file. # Required. The MSI package.
                            &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                            &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                              &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                              &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                              &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                            },
                            &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                            &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                              &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                              &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                            },
                          },
                        },
                        &quot;rpm&quot;: { # An RPM package file. RPM packages only support INSTALLED state. # An rpm package file.
                          &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`
                          &quot;source&quot;: { # A remote or local file. # Required. An rpm package.
                            &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                            &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                              &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                              &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                              &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                            },
                            &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                            &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                              &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                              &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                            },
                          },
                        },
                        &quot;yum&quot;: { # A package managed by YUM. - install: `yum -y install package` - remove: `yum -y remove package` # A package managed by YUM.
                          &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                        },
                        &quot;zypper&quot;: { # A package managed by Zypper. - install: `zypper -y install package` - remove: `zypper -y rm package` # A package managed by Zypper.
                          &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                        },
                      },
                      &quot;repository&quot;: { # A resource that manages a package repository. # Package repository resource
                        &quot;apt&quot;: { # Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. # An Apt Repository.
                          &quot;archiveType&quot;: &quot;A String&quot;, # Required. Type of archive files in this repository.
                          &quot;components&quot;: [ # Required. List of components for this repository. Must contain at least one item.
                            &quot;A String&quot;,
                          ],
                          &quot;distribution&quot;: &quot;A String&quot;, # Required. Distribution of this repository.
                          &quot;gpgKey&quot;: &quot;A String&quot;, # URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI for this repository.
                        },
                        &quot;goo&quot;: { # Represents a Goo package repository. These are added to a repo file that is managed at `C:/ProgramData/GooGet/repos/google_osconfig.repo`. # A Goo Repository.
                          &quot;name&quot;: &quot;A String&quot;, # Required. The name of the repository.
                          &quot;url&quot;: &quot;A String&quot;, # Required. The url of the repository.
                        },
                        &quot;yum&quot;: { # Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. # A Yum Repository.
                          &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                          &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                          &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                            &quot;A String&quot;,
                          ],
                          &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.
                        },
                        &quot;zypper&quot;: { # Represents a single zypper package repository. These are added to a repo file that is managed at `/etc/zypp/repos.d/google_osconfig.repo`. # A Zypper Repository.
                          &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                          &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                          &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                            &quot;A String&quot;,
                          ],
                          &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
                        },
                      },
                    },
                  ],
                },
              ],
            },
          ],
          &quot;reconciling&quot;: True or False, # Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING
          &quot;revisionCreateTime&quot;: &quot;A String&quot;, # Output only. The timestamp that the revision was created.
          &quot;revisionId&quot;: &quot;A String&quot;, # Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment
          &quot;rollout&quot;: { # Message to configure the rollout at the zonal level for the OS policy assignment. # Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.
            &quot;disruptionBudget&quot;: { # Message encapsulating a value that can be either absolute (&quot;fixed&quot;) or relative (&quot;percent&quot;) to a value. # Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.
              &quot;fixed&quot;: 42, # Specifies a fixed value.
              &quot;percent&quot;: 42, # Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
            },
            &quot;minWaitDuration&quot;: &quot;A String&quot;, # Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.
          },
          &quot;rolloutState&quot;: &quot;A String&quot;, # Output only. OS policy assignment rollout state
          &quot;uid&quot;: &quot;A String&quot;, # Output only. Server generated unique id for the OS policy assignment resource.
        },
      },
      &quot;orchestrationScope&quot;: { # Defines a set of selectors which drive which resources are in scope of policy orchestration. # Optional. Defines scope for the orchestration, in context of the enclosing PolicyOrchestrator resource. Scope is expanded into a list of pairs, in which the rollout action will take place. Expansion starts with a Folder resource parenting the PolicyOrchestrator resource: - All the descendant projects are listed. - List of project is cross joined with a list of all available zones. - Resulting list of pairs is filtered according to the selectors.
        &quot;selectors&quot;: [ # Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource.
          { # Selector for the resources in scope of orchestration.
            &quot;locationSelector&quot;: { # Selector containing locations in scope. # Selector for selecting locations.
              &quot;includedLocations&quot;: [ # Optional. Names of the locations in scope. Format: `us-central1-a`
                &quot;A String&quot;,
              ],
            },
            &quot;resourceHierarchySelector&quot;: { # Selector containing Cloud Resource Manager resource hierarchy nodes. # Selector for selecting resource hierarchy.
              &quot;includedFolders&quot;: [ # Optional. Names of the folders in scope. Format: `folders/{folder_id}`
                &quot;A String&quot;,
              ],
              &quot;includedProjects&quot;: [ # Optional. Names of the projects in scope. Format: `projects/{project_number}`
                &quot;A String&quot;,
              ],
            },
          },
        ],
      },
      &quot;orchestrationState&quot;: { # Describes the state of the orchestration process. # Output only. State of the orchestration.
        &quot;currentIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Current Wave iteration state.
          &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
            &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
            &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
              {
                &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
              },
            ],
            &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
          },
          &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
          &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
          &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
          &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
          &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
          &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
          &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
        },
        &quot;previousIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Previous Wave iteration state.
          &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
            &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
            &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
              {
                &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
              },
            ],
            &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
          },
          &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
          &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
          &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
          &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
          &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
          &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
          &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
        },
      },
      &quot;reconciling&quot;: True or False, # Output only. Set to true, if the there are ongoing changes being applied by the orchestrator.
      &quot;state&quot;: &quot;A String&quot;, # Optional. State of the orchestrator. Can be updated to change orchestrator behaviour. Allowed values: - `ACTIVE` - orchestrator is actively looking for actions to be taken. - `STOPPED` - orchestrator won&#x27;t make any changes. Note: There might be more states added in the future. We use string here instead of an enum, to avoid the need of propagating new states to all the client code.
      &quot;updateTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was last modified.
    },
  ],
  &quot;unreachable&quot;: [ # Locations that could not be reached.
    &quot;A String&quot;,
  ],
}</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next()</code>
  <pre>Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call &#x27;execute()&#x27; on to request the next
          page. Returns None if there are no more items in the collection.
        </pre>
</div>

<div class="method">
    <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
  <pre>Updates an existing policy orchestrator, parented by a project.

Args:
  name: string, Immutable. Identifier. In form of * `organizations/{organization_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `folders/{folder_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `projects/{project_id_or_number}/locations/global/policyOrchestrators/{orchestrator_id}` (required)
  body: object, The request body.
    The object takes the form of:

{ # PolicyOrchestrator helps managing project+zone level policy resources (e.g. OS Policy Assignments), by providing tools to create, update and delete them across projects and locations, at scale. Policy orchestrator functions as an endless loop. Each iteration orchestrator computes a set of resources that should be affected, then progressively applies changes to them. If for some reason this set of resources changes over time (e.g. new projects are added), the future loop iterations will address that. Orchestrator can either upsert or delete policy resources. For more details, see the description of the `action`, and `orchestrated_resource` fields. Note that policy orchestrator do not &quot;manage&quot; the resources it creates. Every iteration is independent and only minimal history of past actions is retained (apart from Cloud Logging). If orchestrator gets deleted, it does not affect the resources it created in the past. Those will remain where they were. Same applies if projects are removed from the orchestrator&#x27;s scope.
  &quot;action&quot;: &quot;A String&quot;, # Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist
  &quot;createTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was created.
  &quot;description&quot;: &quot;A String&quot;, # Optional. Freeform text describing the purpose of the resource.
  &quot;etag&quot;: &quot;A String&quot;, # Output only. This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
  &quot;labels&quot;: { # Optional. Labels as key value pairs
    &quot;a_key&quot;: &quot;A String&quot;,
  },
  &quot;name&quot;: &quot;A String&quot;, # Immutable. Identifier. In form of * `organizations/{organization_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `folders/{folder_id}/locations/global/policyOrchestrators/{orchestrator_id}` * `projects/{project_id_or_number}/locations/global/policyOrchestrators/{orchestrator_id}`
  &quot;orchestratedResource&quot;: { # Represents a resource that is being orchestrated by the policy orchestrator. # Required. Resource to be orchestrated by the policy orchestrator.
    &quot;id&quot;: &quot;A String&quot;, # Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation.
    &quot;osPolicyAssignmentV1Payload&quot;: { # OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). # Optional. OSPolicyAssignment resource to be created, updated or deleted. Name field is ignored and replace with a generated value. With this field set, orchestrator will perform actions on `project/{project}/locations/{zone}/osPolicyAssignments/{resource_id}` resources, where `project` and `zone` pairs come from the expanded scope, and `resource_id` comes from the `resource_id` field of orchestrator resource.
      &quot;baseline&quot;: True or False, # Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.
      &quot;deleted&quot;: True or False, # Output only. Indicates that this revision deletes the OS policy assignment.
      &quot;description&quot;: &quot;A String&quot;, # OS policy assignment description. Length of the description is limited to 1024 characters.
      &quot;etag&quot;: &quot;A String&quot;, # The etag for this OS policy assignment. If this is provided on update, it must match the server&#x27;s etag.
      &quot;instanceFilter&quot;: { # Filters to select target VMs for an assignment. If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them. # Required. Filter to select VMs.
        &quot;all&quot;: True or False, # Target all VMs in the project. If true, no other criteria is permitted.
        &quot;exclusionLabels&quot;: [ # List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.
          { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
            &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        ],
        &quot;inclusionLabels&quot;: [ # List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.
          { # Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will only be applicable for those VMs with both labels present.
            &quot;labels&quot;: { # Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        ],
        &quot;inventories&quot;: [ # List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.
          { # VM inventory details.
            &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
            &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
          },
        ],
      },
      &quot;name&quot;: &quot;A String&quot;, # Resource name. Format: `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}` This field is ignored when you create an OS policy assignment.
      &quot;osPolicies&quot;: [ # Required. List of OS policies to be applied to the VMs.
        { # An OS policy defines the desired state configuration for a VM.
          &quot;allowNoResourceGroupMatch&quot;: True or False, # This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.
          &quot;description&quot;: &quot;A String&quot;, # Policy description. Length of the description is limited to 1024 characters.
          &quot;id&quot;: &quot;A String&quot;, # Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.
          &quot;mode&quot;: &quot;A String&quot;, # Required. Policy mode
          &quot;resourceGroups&quot;: [ # Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`
            { # Resource groups provide a mechanism to group OS policy resources. Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems. When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the `OSFilter` specified within the resource group.
              &quot;inventoryFilters&quot;: [ # List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name=&#x27;rhel&#x27; and inventory_filters[1].os_short_name=&#x27;centos&#x27; If the list is empty, this resource group will be applied to the target VM unconditionally.
                { # Filtering criteria to select VMs based on inventory details.
                  &quot;osShortName&quot;: &quot;A String&quot;, # Required. The OS short name
                  &quot;osVersion&quot;: &quot;A String&quot;, # The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions.
                },
              ],
              &quot;resources&quot;: [ # Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.
                { # An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc. The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.
                  &quot;exec&quot;: { # A resource that allows executing scripts on the VM. The `ExecResource` has 2 stages: `validate` and `enforce` and both stages accept a script as an argument to execute. When the `ExecResource` is applied by the agent, it first executes the script in the `validate` stage. The `validate` stage can signal that the `ExecResource` is already in the desired state by returning an exit code of `100`. If the `ExecResource` is not in the desired state, it should return an exit code of `101`. Any other exit code returned by this stage is considered an error. If the `ExecResource` is not in the desired state based on the exit code from the `validate` stage, the agent proceeds to execute the script from the `enforce` stage. If the `ExecResource` is already in the desired state, the `enforce` stage will not be run. Similar to `validate` stage, the `enforce` stage should return an exit code of `100` to indicate that the resource in now in its desired state. Any other exit code is considered an error. NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to have an explicit indicator of `in desired state`, `not in desired state` and errors. Because, for example, Powershell will always return an exit code of `0` unless an `exit` statement is provided in the script. So, for reasons of consistency and being explicit, exit codes `100` and `101` were chosen. # Exec resource
                    &quot;enforce&quot;: { # A file or script to execute. # What to run to bring this resource into the desired state. An exit code of 100 indicates &quot;success&quot;, any other exit code indicates a failure running enforce.
                      &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                        &quot;A String&quot;,
                      ],
                      &quot;file&quot;: { # A remote or local file. # A remote or local file.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                      &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                      &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                      &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                    },
                    &quot;validate&quot;: { # A file or script to execute. # Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates &quot;in desired state&quot;, and exit code of 101 indicates &quot;not in desired state&quot;. Any other exit code indicates a failure running validate.
                      &quot;args&quot;: [ # Optional arguments to pass to the source during execution.
                        &quot;A String&quot;,
                      ],
                      &quot;file&quot;: { # A remote or local file. # A remote or local file.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                      &quot;interpreter&quot;: &quot;A String&quot;, # Required. The script interpreter to use.
                      &quot;outputFilePath&quot;: &quot;A String&quot;, # Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes.
                      &quot;script&quot;: &quot;A String&quot;, # An inline script. The size of the script is limited to 32KiB.
                    },
                  },
                  &quot;file&quot;: { # A resource that manages the state of a file. # File resource
                    &quot;content&quot;: &quot;A String&quot;, # A a file with this content. The size of the content is limited to 32KiB.
                    &quot;file&quot;: { # A remote or local file. # A remote or local source.
                      &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                      &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                        &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                        &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                        &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                      },
                      &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                      &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                        &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                        &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                      },
                    },
                    &quot;path&quot;: &quot;A String&quot;, # Required. The absolute path of the file within the VM.
                    &quot;permissions&quot;: &quot;A String&quot;, # Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4
                    &quot;state&quot;: &quot;A String&quot;, # Required. Desired state of the file.
                  },
                  &quot;id&quot;: &quot;A String&quot;, # Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.
                  &quot;pkg&quot;: { # A resource that manages a system package. # Package resource
                    &quot;apt&quot;: { # A package managed by APT. - install: `apt-get update &amp;&amp; apt-get -y install [name]` - remove: `apt-get -y remove [name]` # A package managed by Apt.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;deb&quot;: { # A deb package file. dpkg packages only support INSTALLED state. # A deb package file.
                      &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update &amp;&amp; apt-get -y install package.deb`
                      &quot;source&quot;: { # A remote or local file. # Required. A deb package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;desiredState&quot;: &quot;A String&quot;, # Required. The desired state the agent should maintain for this package.
                    &quot;googet&quot;: { # A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` # A package managed by GooGet.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;msi&quot;: { # An MSI package. MSI packages only support INSTALLED state. # An MSI package.
                      &quot;properties&quot;: [ # Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.
                        &quot;A String&quot;,
                      ],
                      &quot;source&quot;: { # A remote or local file. # Required. The MSI package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;rpm&quot;: { # An RPM package file. RPM packages only support INSTALLED state. # An rpm package file.
                      &quot;pullDeps&quot;: True or False, # Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`
                      &quot;source&quot;: { # A remote or local file. # Required. An rpm package.
                        &quot;allowInsecure&quot;: True or False, # Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
                        &quot;gcs&quot;: { # Specifies a file available as a Cloud Storage Object. # A Cloud Storage object.
                          &quot;bucket&quot;: &quot;A String&quot;, # Required. Bucket of the Cloud Storage object.
                          &quot;generation&quot;: &quot;A String&quot;, # Generation number of the Cloud Storage object.
                          &quot;object&quot;: &quot;A String&quot;, # Required. Name of the Cloud Storage object.
                        },
                        &quot;localPath&quot;: &quot;A String&quot;, # A local path within the VM to use.
                        &quot;remote&quot;: { # Specifies a file available via some URI. # A generic remote file.
                          &quot;sha256Checksum&quot;: &quot;A String&quot;, # SHA256 checksum of the remote file.
                          &quot;uri&quot;: &quot;A String&quot;, # Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                        },
                      },
                    },
                    &quot;yum&quot;: { # A package managed by YUM. - install: `yum -y install package` - remove: `yum -y remove package` # A package managed by YUM.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                    &quot;zypper&quot;: { # A package managed by Zypper. - install: `zypper -y install package` - remove: `zypper -y rm package` # A package managed by Zypper.
                      &quot;name&quot;: &quot;A String&quot;, # Required. Package name.
                    },
                  },
                  &quot;repository&quot;: { # A resource that manages a package repository. # Package repository resource
                    &quot;apt&quot;: { # Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. # An Apt Repository.
                      &quot;archiveType&quot;: &quot;A String&quot;, # Required. Type of archive files in this repository.
                      &quot;components&quot;: [ # Required. List of components for this repository. Must contain at least one item.
                        &quot;A String&quot;,
                      ],
                      &quot;distribution&quot;: &quot;A String&quot;, # Required. Distribution of this repository.
                      &quot;gpgKey&quot;: &quot;A String&quot;, # URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.
                      &quot;uri&quot;: &quot;A String&quot;, # Required. URI for this repository.
                    },
                    &quot;goo&quot;: { # Represents a Goo package repository. These are added to a repo file that is managed at `C:/ProgramData/GooGet/repos/google_osconfig.repo`. # A Goo Repository.
                      &quot;name&quot;: &quot;A String&quot;, # Required. The name of the repository.
                      &quot;url&quot;: &quot;A String&quot;, # Required. The url of the repository.
                    },
                    &quot;yum&quot;: { # Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. # A Yum Repository.
                      &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                      &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                      &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                        &quot;A String&quot;,
                      ],
                      &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.
                    },
                    &quot;zypper&quot;: { # Represents a single zypper package repository. These are added to a repo file that is managed at `/etc/zypp/repos.d/google_osconfig.repo`. # A Zypper Repository.
                      &quot;baseUrl&quot;: &quot;A String&quot;, # Required. The location of the repository directory.
                      &quot;displayName&quot;: &quot;A String&quot;, # The display name of the repository.
                      &quot;gpgKeys&quot;: [ # URIs of GPG keys.
                        &quot;A String&quot;,
                      ],
                      &quot;id&quot;: &quot;A String&quot;, # Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
                    },
                  },
                },
              ],
            },
          ],
        },
      ],
      &quot;reconciling&quot;: True or False, # Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING
      &quot;revisionCreateTime&quot;: &quot;A String&quot;, # Output only. The timestamp that the revision was created.
      &quot;revisionId&quot;: &quot;A String&quot;, # Output only. The assignment revision ID A new revision is committed whenever a rollout is triggered for a OS policy assignment
      &quot;rollout&quot;: { # Message to configure the rollout at the zonal level for the OS policy assignment. # Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.
        &quot;disruptionBudget&quot;: { # Message encapsulating a value that can be either absolute (&quot;fixed&quot;) or relative (&quot;percent&quot;) to a value. # Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.
          &quot;fixed&quot;: 42, # Specifies a fixed value.
          &quot;percent&quot;: 42, # Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
        },
        &quot;minWaitDuration&quot;: &quot;A String&quot;, # Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.
      },
      &quot;rolloutState&quot;: &quot;A String&quot;, # Output only. OS policy assignment rollout state
      &quot;uid&quot;: &quot;A String&quot;, # Output only. Server generated unique id for the OS policy assignment resource.
    },
  },
  &quot;orchestrationScope&quot;: { # Defines a set of selectors which drive which resources are in scope of policy orchestration. # Optional. Defines scope for the orchestration, in context of the enclosing PolicyOrchestrator resource. Scope is expanded into a list of pairs, in which the rollout action will take place. Expansion starts with a Folder resource parenting the PolicyOrchestrator resource: - All the descendant projects are listed. - List of project is cross joined with a list of all available zones. - Resulting list of pairs is filtered according to the selectors.
    &quot;selectors&quot;: [ # Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource.
      { # Selector for the resources in scope of orchestration.
        &quot;locationSelector&quot;: { # Selector containing locations in scope. # Selector for selecting locations.
          &quot;includedLocations&quot;: [ # Optional. Names of the locations in scope. Format: `us-central1-a`
            &quot;A String&quot;,
          ],
        },
        &quot;resourceHierarchySelector&quot;: { # Selector containing Cloud Resource Manager resource hierarchy nodes. # Selector for selecting resource hierarchy.
          &quot;includedFolders&quot;: [ # Optional. Names of the folders in scope. Format: `folders/{folder_id}`
            &quot;A String&quot;,
          ],
          &quot;includedProjects&quot;: [ # Optional. Names of the projects in scope. Format: `projects/{project_number}`
            &quot;A String&quot;,
          ],
        },
      },
    ],
  },
  &quot;orchestrationState&quot;: { # Describes the state of the orchestration process. # Output only. State of the orchestration.
    &quot;currentIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Current Wave iteration state.
      &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
        &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
        &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
          {
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
          },
        ],
        &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
      },
      &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
      &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
      &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
      &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
      &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
      &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
      &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
    },
    &quot;previousIterationState&quot;: { # Describes the state of a single iteration of the orchestrator. # Output only. Previous Wave iteration state.
      &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Output only. Error thrown in the wave iteration.
        &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
        &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
          {
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
          },
        ],
        &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
      },
      &quot;failedActions&quot;: &quot;A String&quot;, # Output only. Number of orchestration actions which failed so far. For more details, query the Cloud Logs.
      &quot;finishTime&quot;: &quot;A String&quot;, # Output only. Finish time of the wave iteration.
      &quot;iterationId&quot;: &quot;A String&quot;, # Output only. Unique identifier of the iteration.
      &quot;performedActions&quot;: &quot;A String&quot;, # Output only. Overall number of actions done by the orchestrator so far.
      &quot;progress&quot;: 3.14, # Output only. An estimated percentage of the progress. Number between 0 and 100.
      &quot;startTime&quot;: &quot;A String&quot;, # Output only. Start time of the wave iteration.
      &quot;state&quot;: &quot;A String&quot;, # Output only. State of the iteration.
    },
  },
  &quot;reconciling&quot;: True or False, # Output only. Set to true, if the there are ongoing changes being applied by the orchestrator.
  &quot;state&quot;: &quot;A String&quot;, # Optional. State of the orchestrator. Can be updated to change orchestrator behaviour. Allowed values: - `ACTIVE` - orchestrator is actively looking for actions to be taken. - `STOPPED` - orchestrator won&#x27;t make any changes. Note: There might be more states added in the future. We use string here instead of an enum, to avoid the need of propagating new states to all the client code.
  &quot;updateTime&quot;: &quot;A String&quot;, # Output only. Timestamp when the policy orchestrator resource was last modified.
}

  updateMask: string, Optional. The list of fields to merge into the existing policy orchestrator. A special [&quot;*&quot;] field mask can be used to simply replace the entire resource. Otherwise, for all paths referenced in the mask, following merge rules are used: * output only fields are ignored, * primitive fields are replaced, * repeated fields are replaced, * map fields are merged key by key, * message fields are cleared if not set in the request, otherwise they are merged recursively (in particular - message fields set to an empty message has no side effects) If field mask (or its paths) is not specified, it is automatically inferred from the request using following rules: * primitive fields are listed, if set to a non-default value (as there is no way to distinguish between default and unset value), * map and repeated fields are listed, * `google.protobuf.Any` fields are listed, * other message fields are traversed recursively. Note: implicit mask does not allow clearing fields.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # This resource represents a long-running operation that is the result of a network API call.
  &quot;done&quot;: True or False, # If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
  &quot;error&quot;: { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # The error result of the operation in case of failure or cancellation.
    &quot;code&quot;: 42, # The status code, which should be an enum value of google.rpc.Code.
    &quot;details&quot;: [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
      {
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
      },
    ],
    &quot;message&quot;: &quot;A String&quot;, # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
  },
  &quot;metadata&quot;: { # Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
  },
  &quot;name&quot;: &quot;A String&quot;, # The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`.
  &quot;response&quot;: { # The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object. Contains field @type with type URL.
  },
}</pre>
</div>

</body></html>